How to Upgrade Your GitHub API Authentication

Ciprian on Tuesday, March 24, 2020 in Blog

NEW! Learn JavaScript by example. Code snippets, how-to's and tutorials. Try now!

JavaScript Code

If you’ve been getting lots of email notices when using GitHub API calls related to:

Deprecation notice for authentication via URL query parameters

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don’t have control over, be aware that it may stop working as a result of this deprecation. Depending on your API usage, we’ll be sending you this email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf. Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Here’s what you need to know, when using access_token as a query parameter, if you’re currently making an API call similar to:

curl ""

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token'

When using PHP, here’s the correct approach:

// Switch to HTTP Basic Authentication for GitHub API v3
$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => $requestUri,
        "Authorization: token " . $authorizeToken,
        "User-Agent: YourAppName"

$response = curl_exec($curl);

Using JavaScript:

var data = null;

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
    if (this.readyState === 4) {
});"GET", "");
xhr.setRequestHeader("Authorization", "token 1234567890");
xhr.setRequestHeader("User-Agent", "YourAppName");
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Cache-Control", "no-cache");
xhr.setRequestHeader("Host", "");
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
xhr.setRequestHeader("Connection", "keep-alive");
xhr.setRequestHeader("cache-control", "no-cache");


Or using the Fetch API:

var myHeaders = new Headers();
myHeaders.append("Authorization", "token 1234567890");

const requestOptions = {
    method: 'GET',
    headers: myHeaders,
    redirect: 'follow'

fetch("", requestOptions)
    .then(response => response.text())
    .then(result => console.log(result))
    .catch(error => console.log('error', error));

GitHub Authentication for WordPress Updater Solutions

If you are using GitHub to update your WordPress plugins (both public and private), switch to Andy Fragen’s solution. I have removed the GitHub updater from 10 plugins and 2 themes I am maintaining and switched to his GitHub Updater. I never looked back.

I wrote about this before, but maintaining a custom GitHub API solution is not worth it anymore.


Related posts

Leave a Reply

Your email address will not be published. Required fields are marked *